Engineering Blog


Unveiling Hidden Threats: Detecting Unauthorized Access in Kubernetes with eBPF

Kubernetes reigns supreme as the container orchestration platform, but its vast power demands robust security. This blog explores eBPF (Extended Berkeley Packet Filter), a powerful tool for safeguarding your Kubernetes clusters.

What is eBPF?

eBPF allows you to run custom code within the Linux kernel for monitoring and control. It acts like a Swiss army knife, offering insights into various areas of your cluster.

Unleashing eBPF’s Potential in Kubernetes

eBPF offers a diverse toolbox for Kubernetes, including:

  • Network Monitoring: Identify suspicious activity and anomalies in network traffic.
  • Resource Optimization: Analyze resource usage and optimize allocation for improved performance.
  • Security Fortification: Detect security incidents like unauthorized access, privilege escalation, and container breakouts.
  • Troubleshooting Efficiency: Debug performance issues and pinpoint the root cause of problems.

This blog dives deep into using eBPF for security, specifically detecting unauthorized access attempts.

Detecting Unauthorized Access with eBPF

Let’s uncover unauthorized access attempts within your cluster using eBPF’s system call tracing capabilities:

1. Setting Up Your Toolkit:

Before we begin, ensure you have bcc (BPF Compiler Collection) and kubectl installed on your Kubernetes cluster:

  • Install bcc: sudo apt-get install bpfcc-tools
  • Install kubectl (if not already installed): Refer to official installation instructions.

2. Crafting an eBPF Program:

Here’s a basic eBPF program to trace execve system calls within a specific pod:


#include <linux/sched.h>
#include <linux/fs.h>
#include <linux/slab.h>

int trace_execve(struct pt_regs *ctx, struct filename *filename) {
  char comm[TASK_COMM_LEN];
  bpf_get_current_comm(&comm, sizeof(comm));

  if (bpf_get_current_pid_tgid() == PID_TGID) {
    bpf_trace_printk("Unauthorized execve by process %s (PID: %d) on file %s\n", comm, bpf_get_current_pid(), filename->name);

  return 0;

This program tracks the execve system call and logs unauthorized attempts by comparing the process ID (PID) with a specified target PID you want to monitor.

3. Attaching the eBPF Program:

Use bpftool to compile and load your eBPF program:

  • Compile: gcc -O2 -target bpf -c trace_execve.c -o trace_execve.o
  • Load: bpftool prog load trace_execve.o /sys/fs/bpf/trace_execve

4. Monitoring and Analysis:

Now, with your eBPF program attached, you can start monitoring for unauthorized access attempts:

bpftool trace attach -p "$(pidof kubelet)" /sys/fs/bpf/trace_execve

This command attaches the program to the kubelet process, monitoring the kubelet for unauthorized execve calls.

Best Practices for eBPF in Kubernetes

While eBPF offers immense power, it’s crucial to follow best practices:

  • Clearly Defined Objectives: Identify what you want to monitor or control before deploying eBPF programs. This streamlines your approach.
  • Controlled Environment Testing: Test your eBPF programs in a non-production cluster to ensure they work as expected without causing disruption.
  • Resource Usage Monitoring: Keep an eye on eBPF program resource consumption to avoid performance issues.
  • Regular Reviews and Updates: Stay updated with eBPF and Kubernetes developments, and regularly review and update your programs for effectiveness and compatibility.
  • Security Measures Implementation: Since eBPF interacts with the kernel, secure your programs and infrastructure. Only trusted individuals should deploy them.

By adhering to these guidelines, you can leverage eBPF’s capabilities while maintaining security and cluster health.

Beyond Security: The Broader eBPF Landscape

eBPF is a rapidly evolving technology with applications beyond Kubernetes. It’s used for network monitoring, security, observability, and more, with companies like Netflix and Google utilizing it for deeper infrastructure insights and control.


eBPF empowers you to detect specific incidents within your Kubernetes cluster, enhancing security and safeguarding its integrity. Embrace eBPF’s flexibility and efficiency to build a robust defense against potential security threats. Remember to explore its full potential for monitoring, troubleshooting, and evolving your security strategies alongside the ever-changing Kubernetes landscape.

Previous Post